@leastprivilege If I want to customize the login screen with an additional property, let's say a CompanyId, and want that company Id to be part of the token which is created after redirecting to my client, how can I achieve that in a hybrid flow?
Would like to know the extension point between validating the user credential and the token creation where I can inject this companyId so that I get this as part of the token and as a claim in my mvc application.
Thanks in advance.
Noufal
You can store the company id in the cookie when you sign in the user. This will be available to you on the profile service.
Thanks @leastprivilege
I am a newbie in web development. Would you mind telling me how to access this cookie from the Profile service?
I searched the context but couldn't find any way to get the cookie.
Thanks in advance.
Oh I see - you are using hybrid flow...
Well, in that case you don't have access to the cookie when the claims are retrieved. You need to temporarily store that value somewhere - database, cache, etc.
Don't we capture the subject claims when we create the code and store them with the code?
Would it be possible to create an extension point using which we can inject our desired claims in the hybrid flow as well?
You can add custom claims at login, or from the profile service. Not sure why you'd need any other extensibility point to add claims.
@brockallen the issue in my case is that the so-called company Id cannot be prestored in a database as it's captured at the time of login. In a hybrid flow only the default claims are taken. And I have no way of accessing this company id in the profile service.
Would you recommend an easy way to do this?
Did you try what @leastprivilege suggested?
> You can store the company id in the cookie when you sign in the user.
Yes I stored the cookie but as @leastprivilege said there is no way to access the cookie in the profile service. I want to add the company Id in the token itself.
Please help me to find a way.
Right, but you do have access to the Subject and Subject.Claims on the ProfileDataRequestContext in your IProfileService.
Yes, you are right, we do have access to the subject claim and my question is how I can get the company id in the IProfileService so that I can add to the subject claim and subsequently add to the token? I need a way to grab the companyId from the login screen and add to the token.
I hope I was clear.
> how I can get the company id in the IProfileService so that I can add to the subject claim and subsequently add to the token
Add the company id as a claim at login time. That claim will be available on the ProfileDataRequestContext.Subject.Claims in the IProfileService.
Oh. You mean to add the company id as a claim in the ClaimsIdentity at the time of login and this will be available in the context?
Yes, this is what @leastprivilege said:
> You can store the company id in the cookie when you sign in the user. This will be available to you on the profile service.
Ok thanks. I didn't really understand what @leastprivilege meant. When he said to add to cookies what I thought was to create a new cookie named customerId and access that cookie in the profile service.
Will try this tomorrow at the office and will update you with the details. Thanks a ton!!!
Hi @brockallen
I am not getting the ClaimsPrincipal even after successfully logging in.
Please look at the image below.
And as per one of the Stack Overflow answers:
> Since ASP.NET Identity authentication is based on cookies the User.IsSignedIn() method returns true if the authentication cookie is set for current request. This cookie is created by _signInManager.PasswordSignInAsync(..) and stored in the response (not the request) of the action method.
> The next action method will receive the cookie in the request and that's why you'll see User.IsSignedIn() return true in that method and not in the method that actually performs the sign in.

Now in this scenario where can I add my custom claim, because I want to add the claim before the cookie is created in the first place?
Am I missing something here?
Since you're using the SignInManager, it's creating the claims principal and cookies. So either don't use it, or use their abstraction for adding claims via the IUserClaimsPrincipalFactory.
Thanks @brockallen. That's exactly what I did in the first place to get the claims which were already part of the user and persisted in the database. My only concern was this so-called company Id which can be captured as a choice at the time of login.
So the only way might be to store the company Id in a session variable and access it in a custom implementation of IUserClaimsPrincipalFactory.
Am I doing the right thing by using a session variable or is there any other best practice?
Well, you're in a bad position because of Microsoft's limited design of the ASP.NET Identity library -- essentially making assumptions for you that all of your claims at login would only ever be from the database. You could put the value in the Items in the HttpContext and then inject the IHttpContextAccessor into your custom IUserClaimsPrincipalFactory ctor.
I opened an issue with Microsoft to make this easier: https://github.com/aspnet/Identity/issues/976
I think you should now have a workaround (for now).
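
The workaround discussed above, sketched as an added example that is not part of the original thread or of either project's code. `ApplicationUser`, the `company_id` claim type, and the class names are assumptions; the login action is assumed to verify that the user may act for the posted company before placing the value in `HttpContext.Items`.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

public class ApplicationUser : IdentityUser { }  // assumed user type

// Assumed claim type / Items key. The login action (not shown) must, before
// calling PasswordSignInAsync:
//   1. check server-side that this user is allowed to use the posted company id
//   2. set HttpContext.Items[CompanyClaims.Key] = validatedCompanyId;
public static class CompanyClaims { public const string Key = "company_id"; }

public class CompanyClaimsPrincipalFactory
    : UserClaimsPrincipalFactory<ApplicationUser, IdentityRole>
{
    private readonly IHttpContextAccessor _http;

    public CompanyClaimsPrincipalFactory(UserManager<ApplicationUser> users,
        RoleManager<IdentityRole> roles, IOptions<IdentityOptions> options,
        IHttpContextAccessor http) : base(users, roles, options) => _http = http;

    public override async Task<ClaimsPrincipal> CreateAsync(ApplicationUser user)
    {
        var principal = await base.CreateAsync(user);
        // Items only lives for the current request (the login POST).
        var items = _http.HttpContext?.Items;
        if (items != null && items.TryGetValue(CompanyClaims.Key, out var v) && v is string id)
            ((ClaimsIdentity)principal.Identity).AddClaim(new Claim(CompanyClaims.Key, id));
        return principal;
    }
}

public class CompanyProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Subject holds the claims issued at sign-in; copy ours into the token.
        context.IssuedClaims.AddRange(context.Subject.FindAll(CompanyClaims.Key));
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;  // no extra account checks in this sketch
        return Task.CompletedTask;
    }
}
```

Both classes have to be registered in DI (the factory as `IUserClaimsPrincipalFactory<ApplicationUser>`, the profile service with IdentityServer). Because `Items` is per-request, any later call to the factory outside the login request will not see the value.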
Thanks a lot for your great help.
Right now managing with the workaround you suggested.
Special thanks for opening an issue with the Identity team. Let's hope that they will find a workaround as you suggested.
On Sun, Oct 2, 2016 at 5:31 PM +0400, "Brock Allen" [email protected] wrote:
Closed #330.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.